“Cyber/Space, EMP Insecurity – Current and Future Threats”
A Roundtable
September 30th, 2013
Key Elements of Energy Security
by Ambassador R. James Woolsey
ACD Board Member – Former Director of Central Intelligence, and Chairman, Foundation for Defense of Democracies
First of all, I just want to welcome everybody. After I look around here, I feel like I’m a junior participant in the flood trying to chair a discussion among a group of Noahs. You folks really have an extraordinary range of backgrounds in the issues that are facing us. I got to know Rachel a few years ago when the Saudis, in an effort to exploit the extremely plaintiff-friendly libel laws of Great Britain, decided to use a few trillion of their dollars and to expand their power and authority to harass American writers, not having been satisfied with having had a burning at Cambridge University of a book that was critical of them.
This massive machine was on one side, and on the other were, for a time, several major U.S. publications, famous leading newspapers and magazines. They all caved. One person didn’t cave. She’s sitting on my left. She took on the Saudis and their trillions and she basically won. Rachel’s law is now law in New York, some twelve other states and more importantly the federal SPEECH Act of 2010.
She changed a lot with her incredible stubbornness and intelligence and ability. But I’ve got to say, I think stubbornness, for me, is an extremely positive virtue. And Rachel certainly demonstrated it in this. The American Center for Democracy, which I am on the board of and which she chairs, has done a great deal to bring issues such as economic warfare to the front of policy makers’ discussions here in Washington. We had several sessions, the first session chaired by Senator Jon Kyl in July 2012; more recently we discussed these issues at George Mason University with Rep. Mike Rogers, chair of the House Intelligence Committee, and others – on EMP and cyber issues.
ACD published over 500 articles on these and related issues in their daily blog. And they are also focused heavily on terrorist financing, on the financial picture of what’s happening with the radical Islamist movement such as the Brotherhood and Al Qaeda, Lebanon’s Hezbollah, not only in the Middle East but well beyond. Rep. Randy Weber of the 14th District of Texas, was supposed to join us today, but apparently is held up in Congress. He is the Vice Chairman of the Energy Subcommittee, is also on the House Committee on Science, Space, and Technology, and is Vice Chairman of the Subcommittee on Africa and Global Human Rights, as well as on the International Organization’s Subcommittee of the Committee of Foreign Affairs. He has a lot of positions to which what we’re doing here today is relevant. If we should miss him today, we’ll find an opportunity to get together with him separately.
In the meantime, let me just say a very quick word about the scope of what we hope to talk about and swap some ideas with you. First of all, as Peter Pry keeps saying — and hopefully is succeeding in restructuring the terminology to some extent — when we talk about cyber, we should include electromagnetic pulse. It is so included by the Chinese, the Russians, the North Koreans, and the Iranians, and not because cyber and EMP are exactly the same thing, but because their functions have sort of total information warfare overlap.
And some of the technologies that are relevant to one are relevant to the other. And some of the protective technologies that are relevant to one are relevant to the other. So although one important focus is to ensure that when people don’t spend much time on security and focus their attention on “smart grids” and kind of blink like deer in the headlights when you tell them that the way they’re doing their smart grids looks like it’s not only going to be possible for you to turn down the thermostat in your house via your cell phone, but a teenager in Shanghai could do the same thing to your house, and perhaps other far more mischievous undertakings.
Most of the people who work on cyber security, and particularly who are interested in smart grid, are very difficult to yaw around to focusing on some of the security aspects rather than just the technological “whee, isn’t it fun, look what we can do with the internet smart grid.” So we plan to look at traditional cyber, but also of course at EMP, both solar-caused and malevolently caused, and that is a huge subject, one that is just beginning to break into the public discussion. It’s been helped immeasurably, Bill [Forstchen], by your writings, by your novel and others. There are just a lot of people that are – Peter Pry – who have started in one way or another bringing this issue to the fore.
It is insidious because if you look at the vulnerability from intentionally-caused EMP, it’s a much simpler task than designing and developing and testing and targeting an ICBM or an SLBM that can hit a target on the ground. If all you have to do is get 30 clicks or more up into space and get in some rough orbit and get over some portion of the United States and detonate — either salvage-fused if somebody shoots something at you, or just detonate — you could have a massive effect without being accurate at all, and even try a shot around the South Pole, and if that doesn’t work, don’t say anything and go try another one later. There are just a number of vulnerabilities that stem from the nature of electromagnetic pulse that people really are so appalled by they often don’t want to deal with the matter at all.
And in some ways, this is our biggest problem. That some of the difficulties that we face, here, in particular the takedown — the comparatively easy takedown — of major portions of (or even, in some circumstances, all of) the North America electrical grid creates a situation where people just say: “This is just too hard, this is just too massive, it’s too scary, I’m going to go do something else.” Part of what we need to do is make sure people understand that in a lot of circumstances, we’re talking about the massive expenditure of roughly 20 cents per electricity consumer per year on some of the important types of steps that can usefully be taken. So part of what we need to do is understand the way one can utilize technology in a very affordable way to make a real difference in our vulnerabilities to cyber and related threats.
I want to close by just saying a word about the issue of physical survivability of the grid. I got a call from Emery Levens a few months ago — he’s an old friend of my wife’s and mine and has his finger in lots of pots. He said: Jim, do you realize there was an attack just north of San Jose cutting out the 911 emergency call capacity and taking out 17 of the 20 transformers that supply the electricity to the valley? And I said: “Duh, no. Didn’t know.” Turned out it was covered in the San Jose Press a little bit, kinda sorta, as vandalism at the electrical facility. But if you look back at the films that were taken, this and that and the other thing, it turns out there were three or four extremely disciplined guys with AK47s.
The timing was perfect, deployment was perfect, destruction of the 911 system was perfect except they couldn’t get at the 911 calls that went from cell phones. One person did hear the rifle fire that was going after the transformers, and did channel some people from the electrical company to see what was going on. Actually, the highway patrol came by first, and they didn’t see anything wrong. They didn’t know what a transformer was or why it wouldn’t have holes in it or should not have holes in it. So they kind of went on. And finally, PEPCO, I guess it was, showed up several hours later and realized how close they had come — this group had come — to taking out 17 of the 20 of the transformers for Silicon Valley.
A piece on the web within the last few days indicates that something rather similar, a month or so ago, happened in Arkansas. The San Jose attack, by the way, happened the day after the Boston Marathon bomb explosion, so it might have been timed very carefully to go along with that. So although it’s not quite at the level of ability to destroy and take down systems that one would see from an electromagnetic pulse shot or a very clever cyber attack, physical attacks are possible. Again, like cyber and EMP, some of the fixes are really pretty simple and pretty cheap.
A lot of these fixes are not necessarily perfect fixes, but they’re things like taking a transformer that has fulfilled most of its useful life but still has some utility left and putting it in, say, a little stone house somewhere near where it’s needed instead of throwing it away or disposing of it. There are a number of steps that one can take in this overall area of vulnerability of the grid.
Welcome to the Age of Space and Cyber Warfare
By M. V. “Coyote” Smith
Colonel, USAF, Professor of Strategic Space and Cyber Studies, School of Advanced Air and Space Studies, Air University, Maxwell Air Force Base
I’m Colonel-Doctor ‘Coyote’ Smith, a professor of strategic space and cyber studies at the School of Advanced Air and Space Studies at Air University on Maxwell Air Force Base in beautiful Montgomery, Alabama. Our school, ‘SAASS’ as we call it, is where our Air Force educates a small, hand-picked student body of majors and lieutenant colonels at the masters- and PhD-levels to serve as strategists within our services.
I must thank Rachel Ehrenfeld and the American Center for Democracy for hosting this Washington Roundtable on this critical set of issues that challenge American, allied, and global security. It is an honour for me to speak to this gathering of accomplished and distinguished people, especially appearing alongside William Scott and William Forstchen, authors of two of the most popular books in our courses on space and cyber, respectively. The lessons I learn here from all of you will immediately inform our curriculum at SAASS and Air University as we endeavour to sharpen the minds of our warfighters to meet the challenges of our uncertain future.
I must point out that due to the magic of sequestration that I am here on leave today and am enjoying my personal time greatly. As such, I am not representing the Air Force or any part of the US government in any way. The observations and opinions that I provide here are my own and do not represent necessarily the official positions or policies of the US government – although the speaker asserts that they ought to be!
All of the information I will provide here is unclassified. My sources are discoverable on the open Internet and in public forums. I encourage all of you to fact check me. Any misrepresentations I might make are my fault entirely.
Please, feel free to point out any such mistakes.
My presentation is titled, “Welcome to the Age of Space and Cyber Warfare.” It is a long overdue welcome, as we have been living in the age of space and cyber warfare for over 30 years. It has not received much attention, because it takes place out-of-sight and therefore out-of-mind. Real space warfare and the fact that it has been underway for decades is almost beyond the public’s imagination.
In fact the common conception of space warfare is grossly misrepresented in science fantasy novels, movies, TV shows, and propelled even further by outlandish claims by the arms control community that space warfare necessarily involves blowing-up satellites in orbit and creating cascading fields of debris. They point to the so-called Chinese anti-satellite test of 2007 as an example of a space weapon, but such a weapon is more likely a missile defense system than an anti-satellite weapon. Why do we think this? Because soldiers are smart enough not to plant a mine field inside their own camp. Sailors know enough not to randomly mine their own harbors. Likewise space professionals, in all countries who rely on space even a little bit, know enough not to create space debris that could ruin for decades their access to space and that of everyone else. Those countries that do not rely on space to any extent are unlikely to master the technology or be able to afford destructive CounterSpace weapons. The process of developing rockets, satellite interceptors, and fielding and sustaining such systems costs billions of dollars. There are exponentially cheaper options, such as jammers, that are far more reliable and can be employed with a high degree of deniability in many circumstances. Such is the nature of space warfare.
When I say warfare, I am speaking in the classical Western Clausewitzian sense of warfare, which is the use of martial engagement for political purpose. Satellites have been engaged for years for political purpose to deny or disrupt adversaries’ space-based sensors from collecting certain information and routing that and other data to their users. Satellites are little more than computers placed in orbit with very long and very vulnerable wifi-like data links to ground stations and users.
Instead of blowing-up satellites and creating unwanted space debris with rockets and interceptors, we are witnessing a proliferation of ground-based jammers, lasers, data insertion and data corruption devices and techniques, as well as other directed energy weapons that are exceedingly cheap and able to be executed covertly. In fact, our satellites – American and allied – experience interference on a regular basis, but we often find it difficult to attribute the interference to the precise actor. In part this is because nations routinely probe the capabilities of potential adversaries – think of Soviet and now Russian bombers testing our air defenses – but the entry cost for jamming a satellite is so low and the intelligence for doing so is available on the Internet, that we are witnessing non-government organizations and even individuals interfering with satellite operations. However, the US and other nations who experience disruptions from interference with our space systems seldom speak out about it even when confirmed and attributed because the tendency is to deny attackers intelligence about the effect of their attacks. An exception to this came a few years ago when the director of the National Reconnaissance Office complained publicly about Chinese lasers engaging our imagery satellites. Enough was enough.
At a 2011 conference in Luxembourg hosted by the Eisenhower Center for Space and Defense Studies, a representative from the United Nations International Telegraphic Union reported that his organization receives over 200 satellite frequency interference complaints daily. In their estimation perhaps only 7 percent of such complaints are the result of intentional jamming or other interference. That means there are over 14 cases of space warfare or criminal interference occurring daily – that get reported.
Consider the following examples that have been reported in the news within the last decade. The Chinese dissident group Falun Gong actually overpowered a state-owned satellite and broadcast their messages over the top of the authorized signal. The former Libyan government jammed British satellite broadcasting of offensive programming into their country. Iran has become a powerhouse in this area, not only jamming satellite broadcasts of Western news into their region regularly, but they have also engaged American and other satellites to jam satellite data links used to command remotely piloted vehicles in the Middle East. The Iranians even went so far as to send a small team of people to Cuba secretly to jam American satellite data links. It took a concerted effort between the US and Cuba to figure out the situation and for Cuba to eject the perpetrators diplomatically. This is the face of space warfare. Not the grandiose visions of blowing things up in space.
Space warfare is not executed for its own purpose. It is done because a contest of wills exists on Earth between two or more polities or non-state actors. It is done to prevent flows of information, in a non-lethal, and non-damaging manner, which is the criteria required in the Law of Armed Conflict. The Law of Armed Conflict places a moral burden on nation-states to achieve their objectives in a manner that prevents loss of life, undue human suffering, or damage to property. To date, space warfare and cyber warfare are machine-on-machine engagements that meet or exceed the international community’s requirements for morality in warfare. The alternative is blowing up ground stations and the users of information-people and property. In short, negating satellites saves lives.
What we think of today as cyber warfare has really evolved out of space warfare. As personal computers, the Internet, and the various means of connecting them became prolific on Earth in recent years, the various warfare techniques used in space – and other terrestrial forms of electronic warfare – migrated to cyber. We are all very familiar with examples of cyber warfare. Examples include the Russian use of cyber warfare against Georgia in their recent conflict to essentially put down Georgian information networks, their command and control systems, along with the Internet and most everything connected to it. What makes this example particularly interesting was how the Russians went about it. They simply encouraged private hacktivists to engage Georgian cyber systems. It was a free-for-all. This resulted in a very effective removal of Georgia from the grid, with very little Russian investment in this success.
Cyber warfare is clear in our minds, but the Russian example points to another interesting phenomenon that we are seeing in space and cyber warfare. We find ourselves living in the age of the super-empowered individual. Space and cyber capabilities that only nation-states possessed even as late as a few years ago now reside within the grasp of anyone with access to the internet – for intelligence, operational command-and-control, and execution of various cyber techniques that can destroy, degrade, deny, disrupt, or deceive targeted equipment and the services they provide.
The relationships between space and cyber warfare are relatively clear, and this explains, partly, why the Air Force has vested its space and cyber assets in a single major command. Both space and cyber warfare present us with similar problems. First, attacks can be exceptionally difficult to detect. Systems can fail or have glitches for any number of reasons. Detecting an intentional attack is made even more difficult if the attack occurred months or even years earlier when some line of malicious code was inserted into software waiting to time-out or for some signal to be given. This brings us to the second big problem once an attack has been detected: attributing it correctly to the actual aggressor – knowing full well that the aggressor might do everything in its power to implicate an innocent party. Iran’s covert use of Cuban soil is just one example of what is seen commonly.
We in the business of space and cyber strategy speak about the Probability of Detection and the Probability of Attribution…and the Probability of Retribution as well. The Probability of Retribution is a characterization of the likelihood, ways, and means of an adversary’s response for being attacked. This is critical and tricky because the culture and context of each adversary we face will be different, just as America responds differently at different times to different threats and attacks. These are points upon which we are concentrating a great deal of energy.
This is of increasing importance as we “pivot” our national security attention more towards the East. Asian Strategy is deeply informed by the writings of the ancient theorist, Sun Tzu, who twenty-six centuries ago wrote that “all warfare is based on deception,” in his treatise, The Art of War. Things will not be so clear in Asia as they have been in Europe.
While many speak of developing a deterrence strategy to prevent Chinese and others from attacking our space systems, we risk being misled by false assumptions promulgated by the members of the arms control community. Many of them assert vociferously at every opportunity that space has always been a peaceful sanctuary and that any interference with our satellites will instantly put the US or other world powers on the path to nuclear warfare. We know that both of their premises are false. Space has never been a sanctuary, and interference with satellites is commonplace. As demonstrated daily, such interference does not trigger nuclear wars. Nevertheless, they insist the remedy to their imaginary scenario is to sign-up for all forms of codes of conduct or other arms control agreements. Behind their altruistic shroud seems to lie an agenda aimed at undermining nation-states’ abilities to defend themselves from hostile or unlawful use of space or the systems that operate there. To what end? To whose benefit?
So, where is all of this technology taking us? Anticipating the future is something I’ve been privileged to do as the Director of Dream Works in the Pentagon’s National Security Space Office and later as the Director of the Center for Strategy and Technology where I led the Chief of Staff’s Blue Horizons project. It was my job to meet with ‘mad scientists’ not necessarily to find out how they were progressing with their government or commercial research, but to find out about their passions – what they were working on in their spare time and where they think the technology will lead. One such discovery I made that is starting to make the news is a helmet that can read your thoughts. Yes, I said, ‘read your thoughts.’ I visited a laboratory that was working on improving the brain-mechanical interface to improve the performance of prosthetic limbs. They had taken a bicycle helmet and hollowed out its ribs and inserted electroencephalograph sensors that were connected by wires to a computer.
They are now able to map the firing of neurons and synapses throughout the brain whenever the brain is stimulated. Whenever you see, hear, smell, feel, or taste anything there is a distinct brain pattern that you create in response to that stimulation. What they discovered is that by watching a very simple movie and reading a story, they are now able to use this helmet to map where those specific thoughts and memories generated by the movie are stored in a subject’s brain. After watching the movie, they invite their subjects to have an internal dialog with themselves. While this is going on, the scientists are able to read the stream of conscious thoughts of each subject on a computer screen. It is not perfect, but they can identify what the person is thinking about with roughly 50% accuracy. This is brand new technology that has only existed for months. Where will this technology lead? This offers great hope not only for prosthetic users, but for brain trauma victims, coma patients, and the like. The gaming industry is highly interested in this, as you might imagine!
Combine this with other technology being developed to make truly handless devices – a wifi system that does not work on machine-to-machine interface, but rather from machines directly to the human neural system. Think of wifi between people’s nervous systems! What society in general and policy makers in specific need to be thinking about now are the implications of ‘hacking’ people’s central nervous systems without their awareness. Stealing their thoughts. Robbing them of mental privacy. Think also about the implications of inserting thoughts directly into their brains, not just as a matter of learning, but programming their thoughts and opinions! This goes on today in the commercial marketplace of advertisement and marketing, but we have a gap between the marketers and ourselves. What if they can manipulate our belief systems without our awareness? Marketing, education, religion, and political campaigning will embrace these technologies.
Will we be ready? I answer this question with a strong ‘maybe.’ I believe we are witnessing the evolution of the sixth medium of warfare. In addition to air, land, sea, space, and cyber, we will soon be fighting in – what shall we call it? Mental space? Psychic space? Neurospace? It is most likely that our authors here with us today will name this new medium for us.
This seems quite scary, far-off in the future, and highly imaginative. However, the devices to make this possible are being developed in garages, on workbenches, and in laboratories today. William Gibson, the author of Neuromancer, the book wherein he coined the term ‘cyberspace,’ tells us, ‘The future is already here. It’s just unevenly distributed.’ This technology is out there and I have given you a glimpse of where I anticipate it heading. It is clear that we will improve our engagement with the future if we study it intently today.
I want to emphasize the importance and credibility of proper future science. I will finish with a little story. The famous physicist, Michio Kaku, passed it along in his book Visions. He tells us that back during the War a Frenchman writing about Paris in the Twentieth Century took note of the developing rocket technology of the day and the mechanical prowess of the Americans. He concluded that America would likely be the first to the Moon, doing so with a multi-stage rocket, blasting three astronauts on their way from Florida, and returning to splash down in the ocean. The Frenchman’s clairvoyance is made even more remarkable by the fact that the year was 1863 and the War was the American Civil War! The Frenchman was Jules Verne, who filled his time interviewing scientists and inventors, pressing them to explain how far the technology they were working on could go. As the late Paul Harvey used to say, ‘And now you know…the rest…of the story.’
In summary, we have been living in the age of space and cyber warfare for a number of decades now. There is no negotiating our way out, and no treaties that can be made to stop it. In fact, in most cases space and cyber warfare is employed in lieu of using lethal and destructive force against people and property.
In an age where super-empowered individuals and groups cannot be deterred, the only way forward is to invest in space and cyber defenses and plan to operate through whatever interference they cause. Eliminating critical dependencies on space and cyber is essential, as well as creating robust terrestrial back-ups for both mediums. We can already glimpse with some discomfort where technology is taking us, but we can begin now to prepare for the emerging realities.
I look forward to learning from the rest of today’s distinguished speakers, and once again, I thank Rachel Ehrenfeld and the American Center for Democracy for having me here today.
“To Live or Not to Live” — Protecting Against EMP Attack
by Dr. William Forstchen
Author of the best-selling “One Second After”
My background was in the history of technology. And I want to spend just one minute on how I wound up in the field of EMP threat. By a coincidence, on the day that the Congressional report on the threat of EMP came out, which was chaired by Congressman Roscoe Bartlett, and it is an honor to share this forum with Dr. Pry, who was a very key moving force in that report, I happened to be in DC on the same day the report on the threat of EMP was released in 2004. And in a discussion that evening with Newt Gingrich, the comment came up that there was zero response to this report.
Newt asked me to go over to talk to Congressman Bartlett, who inspired me with a very simple observation: that the problem truly is that there’s no constituency. Mention EMP to any group of citizens, and you’re nowhere. Mention any number of other issues: The one I like to point out is (we might recall) that horrific incident about four years back of a woman who was attacked by a chimpanzee and her face was destroyed. Congress passed a law outlawing the ownership of chimpanzees. So you’re safe when you come to my house now. But the point is, what’s the probability threat there of any of us being attacked in such a manner versus the threat of EMP? When writing my novel about EMP, “One Second After,” I was inspired by the classics of my youth, particularly Alas, Babylon and On the Beach.
Thus, I wrote the book with the intent of trying to get a popular novel out there that took a complex issue and put it into a small community, and what happens to each one of us individually. What happens to us, our parents, our children, our town? And the book was 12 weeks on the New York Times bestseller list.
I want to shift into some of the things that, as my background in military history and the history of technology now applies to warfare, and that is the issue of EMP.
EMP is a first-strike weapon. And it’s a technological game changer. Throughout the history of warfare, we have always seen that the losing side in a war often trumps the victor in the next conflict by rethinking the paradigm. A very simple example is Crecy and Agincourt, battles fought during the 100 Years War of the 14th & 15th century where the M-1 tanks of their time, the French armored nobility, suddenly encountered English longbow men.
Thus we see all the way to the present a technology that’s been dismissed (or recently realized) that trumps what’s considered to be the existing, dominant force on the battlefield. What is the primary issue that Sun Tzu talks about – and almost every military writer after him – regarding the opening moves of warfare? The destruction of command and control. If you can shut down the command and control of your opponent, you have pretty well won the day before battle is even joined. What is the best way, currently, to take out command and control? It would be cyber attack or EMP.
I was thinking last night about something of the issue of morale. I recently read that what really broke the morale of the average German soldier – starting around 1943 – was not necessarily their being pushed back in North Africa or the debacle on the Eastern front. It was men going home on furlough or wounded or getting letters and seeing that city after city after city was getting leveled. While they fought on the front lines, their wives, their children, their families, their homeland was being flattened. That was a crucial factor in breaking the morale of the German troops. I remember talking with a German soldier, a veteran of the Russian front, who said the most terrifying experience of his life was that he happened to be in Hamburg when it was hit. He said it shook him for the rest of the war.
He realized they were going to lose, as he put it. We see regarding command and control, a first strike via EMP or cyber attack as a decapitation of information. But it also strikes morale. And then you have societal breakdown. We need not go through an exercise here of what happens if the electricity turns off in the next minute and what happens to this city within the hour.
But, as an old hero of mine, Rod Serling, once said: “Presented for your consideration.” I present for your consideration what if on 9/11, we all saw the first minute of the impact on the second World Trade Center tower and the Pentagon. And then the entire news grid went down. Think of the panic that would have struck across the country within the hour. We have been used to ever since the age of technology – excuse me, actually since the advent of telegraphy – to having instant access to information. Particularly within the last 15 years. I’m a college teacher. If my kids walk out of the classroom (or even in the classroom) and they can’t immediately text their boyfriend or their parents, they’re throwing a panic attack. Think of the shutdown of command and control but also the communication grid of a civilian society. What happens next? It’s a grim proposition.
One of the things that I found difficult in communicating the threat of EMP and cyber attack is that the mere discussion of it often brings on a certain level of shock and resulting non-responses. A good analogy to that is what the film On the Beach created. How many of you have actually seen the film On the Beach? I read an article a while back pointing out that On the Beach was a contributing factor in the shutting down of the American Civil Defense system that had been developed in the ’40s and the ’50s. The reason being that when On the Beach came out, it presented such an overwhelming, catastrophic view of thermonuclear war as a planet-destroying event, that the attitude then became: “Why in hell are we even bothering to try and prepare our infrastructure, build command and control centers, dig bunkers in back yards? It’s all meaningless.”
The infamous line: “The living will envy the dead.” That is the problem that we here face today. How do we convince the general populace, voters, the people up on the Hill, that the cyber threats that you’re talking about – which sound sci-fi to some, how do we convince them that these are real and that in preparing for such an event we might actually prevent an enemy from attempting it? It seems so overwhelming that most people react with: “Oh, hell, somebody else will figure it out.” Or: “I’ll go back to my Xbox.”
I do see glimmers of hope. There are constituencies that are starting to react. How many of you are familiar with the fact that the state of Maine has actually passed a bill to start infrastructure hardening? The state representative who wrote the bill read my book and decided to respond protectively rather than give in to passive inaction. The same is about to happen in my home state of North Carolina. I’d like to introduce my friend Sid Morris, from Charlotte, North Carolina, who is with us today. Sid’s NOAH Foundation is working aggressively with the State of North Carolina, and also with Duke Energy. I think we’re going to be on the edge of agreements both with Duke and with the governor of North Carolina and in turn our state legislators. North Carolina will thus start to prepare as well. So even if we’re not seeing success at the federal level, we are starting to see success at the state level.
[Moderator Rachel Ehrenfeld asks what NOAH is doing. Forstchen responds.]
They are working on developing survivable infrastructure. Developing command and control nodes that are survivable, addressing issues of cyber security, and hardening infrastructure against EMP. That’s the goal that the NOAH Foundation – they’re just down the road from me and they operate politically and within the community.
We’re having a remarkable experience here, today. But we’re all preaching to the choir. How do we build a broader constituency to react to make sure devastation via EMP doesn’t happen? Or better yet, to create such a sound infrastructure that an opponent dare not risk such an attack as a first strike, knowing the impact will be minimal and the response overwhelming. Thank you for the honor of being here.
EMP & Nuclear Proliferation Threats
by Dr. Peter Pry
President of EMPACT America and former Director of U.S. Nuclear Strategy Forum
I am the Executive Director of the Task Force on National and Homeland Security, which is a congressional advisory board. And before that, I worked on the House Armed Services Committee, and before that the CIA. I’ve spent all of my professional life working on weapons of mass destruction, including EMP. EMP is the threat that’s always concerned me the most because it was the least understood and it can do the most damage with the smallest investment. But I think all of us here seem to be experts on EMP now.
On EMP, China and Russia are light years ahead of us. On the Congressional EMP Commission, we found that Russia has developed what they call a Super-EMP weapon, a new generation of nuclear weapon specifically designed to create EMP. The Super is basically a gamma ray producer. Very low yield; on the order of a couple kilotons, or even less. And it generates a tremendous EMP pulse, an E-1 pulse of 200 kilovolts per meter, according to Russian military writings. That is for every meter of dimension in the object being attacked, you get 200,000 volts. So if it’s 2 meters long, that’s 400,000. Multiply by 200,000 volts the dimension in meters of the target – that’s the amount of energy. Imagine the energy transferred to power lines or communications lines that can run for kilometers.
The EMP phenomenon begins above an altitude of 30 kilometers. But the ideal attack would be to place one about 400 kilometers within the center of the country. That puts the EMP field down over all 48 contiguous United States. And it would be 100 kilovolts per meter at the horizon with the 200 kilovolt peak field. Russia and China are the only countries in the world that have hardened their infrastructures against EMP. They did it back in the Cold War because they believed you could fight and win a nuclear war. At least the Soviets did. And we now know – fairly recently because it’s only a recent discovery – about the so-called Underground Great Wall in China. The Chinese have built thousands of kilometers of underground facilities very similar to what the Russians and the Soviets before them did. And they have hardened their critical infrastructure.
The Russians told us – we were actually visited by a delegation from Moscow, two Russian generals, their top experts on EMP – to warn the Commission that there had been a technology leak from Russia to North Korea on the secret of the Super-EMP weapon. They predicted – this was in 2004 – that, within a few years, North Korea would be capable of developing a Super-EMP weapon. And a couple of years later in 2006, they did their first [nuclear] test. And all of the tests have been the same. These low-yield weapons, one to three kilotons, the Western press has tended to declare to be failures because the yields were so low. I mean, a nominal atomic bomb should have a yield of about 10 kilotons.
These are on the order of one to two kilotons. And no leakage of radionuclides from the tests, which almost always happens. This indicates something like a pure fusion weapon, which is consistent with the Super-EMP weapon. South Korean military intelligence independently came to the conclusion that Russians were in North Korea helping them develop Super-EMP weapons. Then in 2012, a military commentator for People’s Republic of China said the North Koreans have Super-EMP weapons.
To make matters worse, you don’t actually need a Super-EMP weapon. Any nuclear weapon would do: our electrical grid is not hardened, at all.
Any nuclear weapon detonated anywhere above 30 kilometers over the Eastern U.S. would cause a national catastrophe. You could use a meteorological balloon to get up that high. Last year an acrobat had himself lofted up into the stratosphere by balloon above 30 kilometers with a heavy sky-diving suit demonstrating that you can get heavy objects up to that altitude by balloon. We knew it before he did that. One of our concerns was that you could use a meteorological balloon to lift any kind of warhead up to that altitude, 30 kilometers or higher, and detonate the warhead anywhere over the United States – preferably someplace over the Eastern seaboard, because the Eastern Grid generates 70 percent of our electricity. And the country can’t survive without the Eastern Grid. If you take down the Eastern Grid, all the critical infrastructures are going to collapse.
One of the things that makes this so tragic is there’s really no excuse for the country to be vulnerable to EMP. We have known for decades how to protect military systems against EMP. And it’s far easier to protect the civilian grid. There are things like Faraday cages and surge arresters they could use. At the heart of the grid are EHV transformers, Extremely High Voltage transformers. They are to our civilization what the aqueducts were to the Romans. You can’t have a grid – you can’t have a modern society – without these EHV transformers.
They aren’t built in this country anymore. They were invented here by Nikola Tesla. They were originally built here. We exported the electric grid to the world. But unfortunately, like so many things, we don’t make EHV transformers here anymore. There’s only two countries in the world that make EHV transformers for export: South Korea and Germany. And the worldwide production of EHV transformers is 180 per year – because the windings have to be done by hand, the old fashioned way, just the way Nikola Tesla did it. And we have about 3,000 EHV transformers in this country. So it doesn’t take a genius to do the arithmetic that if you lose 1,000 EHV transformers, how many years will it take to replace them? And it doesn’t take a year for people to starve to death massively. This is why the Commission estimated that within a year, given our current state of unpreparedness, millions would starve.
There is also natural EMP – because the sun can do this, too, by means of a Carrington class coronal mass ejection. [Holds up a photograph.] That is an actual photograph of a Carrington class coronal mass ejection taken from a satellite. In December 2012 we entered the solar maximum, which means greater risk of the occurrence of a Carrington class coronal mass ejection. You may not be able to see it, but this little blue dot – that’s the relative size of the Earth compared to one of these coronal mass ejections. So you don’t need to be an astrophysicist to understand that if this hits, it’s going to ruin your whole day. A Carrington event would be even worse than a Super-EMP weapon because it would cause an EMP worldwide and collapse electric grids everywhere.
But yet again, the technology is understood, and it’s relatively inexpensive. We think – the Congressional EMP Commission estimated – that for about $2 billion we could protect the whole country, the entire national electric grid. And as we’ve looked at different plans, we’ve been able to bring the price down so that it’s down now around $500 million. There are many ways of doing it. There are three plans described in my book Apocalypse Unknown about how to protect the country, but we haven’t been able to get Congress to do it.
I’m extremely alarmed at what is not being reported in our newsrooms. And while it’s fascinating to talk about the future, I frankly am increasingly concerned that we may not have any future, given how blind we are about what’s going on and what isn’t being talked about. It’s appalling to me to hear the whole focus on the media reporting and what we’re focused on in this town today is over sequestration, over the budget, whether the government is going to shut down.
Going back I guess four weeks ago, over the past four weeks, things that have happened that I find extremely disturbing but that weren’t reported, or were barely reported in the press. I think it was the 2nd of September, on a Monday, when Israel did an unannounced anti-missile test. It was all over the Russian press, but to my knowledge, not mentioned at all except in an article I wrote for LIGNET. The Russian general staff command post went on alert in response to that Israeli anti-missile test and notified Vladimir Putin that unknown missiles were coming out of the Med, headed towards Syria where they have a fleet.
Now, they likened this – their deputy defense minister – likened this to the January 1995 incident (they did, not me), which was the closest we ever came to a nuclear war. And they reminded the international press that on the 25th of January, 1995, when they had detected an unannounced Norwegian meteorological missile, they had nearly pushed the button because they had not been notified. And they likened this thing that happened back in September to the January, 1995 incident. It was the closest we ever came – it was the only time that all three “Chegets,” which is their equivalent to the U.S. nuclear football, the presidential football, were activated.
The Chief of the General Staff, the Defense Minister, and the President – all three of those Chegets were activated, and basically [Mikhail] Kolesnikov, then the Chief of the General Staff, was yelling at Yeltsin, who was President at the time, “Push the button!” And it was only Boris Yeltsin, an alcoholic, who couldn’t believe the United States was going to launch a surprise nuclear attack. He waited and paused for ten minutes. And that’s what spared us. That’s how close we came. And they claim, on the 2nd of September because of what the Israelis did, that this was another incident, a nuclear war scare. Totally unreported.
The Israelis had launched two target missiles. They were testing their anti-missile system. So it was scheduled in advance and the bureaucracy, I guess, just decided – despite the fact that there was a crisis going on in Syria – to launch these two target missiles from the central Mediterranean toward the eastern Med to be intercepted. And the Israelis – only after the Russians came out and made a warning about: hey, who’s launching missiles in the Mediterranean – did they say, well, we did it. And then they declared it was a success.
There’s another event that I’m just sort of amazed at: That is the Russian fleet that nobody seems to think much of. The Russians are closely aligned with Syria, made it clear that their national interests are tied up there. There are probably tactical nuclear weapons on that Russian fleet. Where do our people think these 8,000 tactical nuclear weapons the Russians have are? In storage? We know from their exercises, the military writings, that these things play a very important role in their defense plans. The Moskva, which is now the flagship of the Russian fleet off Syria, during the Cold War, we understood that that thing carried tactical nuclear weapons that had yields of 300 kilotons on anti-ship missiles. So that Russian fleet’s probably got tactical nuclear weapons on it. The whole thing strikes me as being like 1914 all over again.
In Syria the President passed the buck to Congress. And Congress and the President, now that we’re engaged in negotiations, our fleet is still there, we passed the buck to the U.S. Navy and to the Russian fleet as well, who are going to be watching each other because they have no alternative. Both sides, the U.S. and Russian fleets and their military establishments, are watching each other like hawks with their national tactical means, just in case something should happen. What if there’s some kind of a glitch with a satellite? What if Hezbollah or Iran or somebody who would love to see the United States and Russia get into a nuclear war with each other decides to use cyber warfare to try to provoke something? The Iranians have got Silkworm anti-ship missiles from China. They’ve got Sunburn [anti-ship] missiles from the Russians to attack our guys and start a war, like 1914. We’ve got all these actors, many of whom have an interest in seeing us go to war with each other, and nobody’s talking about that.
Let me just step through a couple of other headlines that should have been – things that happened over the past few weeks that have really bothered me that our own Western media has largely ignored. Syria had crossed the chemical redline, but now they’re going to go into negotiation.
North Korea restarted the Yongbyon reactor, and that has gone virtually unreported, which is crossing another redline. That was supposed to be a redline with North Korea: They were not going to restart that reactor, but they did. And not even Fox News has mentioned it. You know, that reactor produces enough plutonium for two atomic bombs a year.
On Friday, Maariv, an Israeli newspaper, reported that interviews with Israeli government experts – Israeli experts who have elected to remain anonymous – show they believe that the redline in Iran has already been crossed and that it’s too late to stop Iran from getting a nuclear weapon.
They concluded that Iran has probably already developed at least one nuclear weapon. And you know, I think that that is so. Congressman Bartlett and I two years ago wrote an article in the Washington Times warning that Iran may already have the bomb. It just astonishes me that we have this – you know, that we truly are a culture of strategic optimists. I mean here’s a country [Iran] that’s had a nuclear weapons program for 30 years – 30 years! And, supposedly, in 30 years they haven’t been able to build an atomic bomb when the United States in World War II, in the Manhattan Project, working with 1930s-1940s era technology, built two atomic bombs of completely different design in just three years.
And the Iranians had help from North Korea, the Russians and Chinese, and, yet, we say that it’s still a year before they’re going to get the bomb! Why do we think that? Because the Iranians told the UN International Atomic Energy Agency inspectors, supposedly, exactly how many centrifuges they really have. The Administration’s calculations are all based on information provided by Iran to the IAEA.
You know, the last thing – building on what Jim Woolsey said – if you pull all of this together, you know, the EMP, the cyber warfare, with the doctrine – the adversary doctrine of the Russians, the Chinese, North Koreans. To them cyber warfare, information warfare, is not just computer viruses. They may use kinetic attacks like those AK-47s that were used in San Jose – all the way up to nuclear EMP attack. And it’s almost like, over the past several years, we’ve seen a dry run happening.
They’ve been attacking us, maybe not doing everything that they could. I think that these things are more like exploratory scouting expeditions to see how vulnerable our critical infrastructures really are to their viruses and those kinds of attacks. Now, we’ve had a couple of instances where we had kinetic attacks on transformers. The San Jose one was clearly professional. They haven’t found those so-called vandals. We don’t know who they were, and they were using AK-47s when they did it.
That North Korean freighter that was stopped for smuggling drugs to Panama had SA-2 missiles on it. Now, that is a nuclear-capable surface-to-air missile. The Russians designed it so that it could carry a nuclear warhead. Now, they didn’t have nuclear warheads on them. But it’s just fascinating that it just happened to be discovered by accident – because they were investigating the freighter for smuggling drugs – that we found that here’s a North Korean vessel that brought a nuclear-capable missile into the Caribbean, which was the EMP Commission’s nightmare scenario.
Our worst-case scenario was that Iran or North Korea or somebody would put a short-range missile, or some kind of missile, on a freighter and do an EMP attack from a freighter, launch it up over the East Coast of the United States. And here we’ve actually found a freighter that had a nuclear-capable missile in it, discovered just by accident when it was trying to go through the Panama Canal. How many other things have been going on like that? So you’ve got all the building blocks here, and I wonder how much time we have. I wonder how much time.
The last thing I will mention is the complexity of our world now and all the different pathways in which things could lead to apocalypse. I mean 99 years ago, this August just past, World War I started because the political and military leadership of the time were overwhelmed by the technology of the time. The technology involved in the act of mobilizing armies was something they didn’t anticipate, the complexity of it, the risk of trying to de-escalate once mobilization had started.
So all it took was one bullet from a Serbian terrorist to send us down a path that our great minds of the time, the political and military leaders and the crowned heads of Europe, could not control. They could not control it. How much more complex is the technology and the difference between war and peace today? Then, the decision between war and peace was based on days and weeks. Now it’s minutes and seconds, and extremely potentially fallible and cyber-vulnerable satellite systems – and all kinds of bad guys out there who would love to see an apocalypse that would take out the United States and Russia both.
There’s just one last thing I want to mention. Thursday, the Russians finished Zapad 13, which is a big military exercise that they held. Again, another thing that hasn’t been mentioned in the press, while they’re negotiating with us on behalf of the Syrians. And this exercise, by the way, was witnessed by President Putin and Aleksandr Lukashenka, President of Belarus. It was a joint exercise between Russia and Belarus that in a matter of a couple of days delivered 22,000 troops from central Russia to the gates of Poland and the Baltic states – 22,000 troops. That is almost exactly the same number of the active duty personnel in the combined armed forces of Lithuania, Latvia, and Estonia – 22,000.
And there were enormous protests. Poles, I think accurately, objected that the exercise featured a simulated nuclear strike on Warsaw. So here’s just another thing that the Western press seems to have no interest in whatsoever that might perhaps raise some questions about the sincerity of our Russian negotiating partners in Syria and the like. Anyway, thank you for letting me get all those events off my chest. What their collective significance is yet, I hope, will come to no significance.
Next-Generation Space & Cyber War
By William B. Scott
Former Editor, Aviation Week / Author of the best-selling “SpaceWars” and “CounterSpace” and “The Permit”, Senior Fellow, American Center for Democracy
John Kenneth Galbraith once said, “Only a fool tries to predict the future.” If that’s so, there’s an abundance of well-paid jokers in prestigious think tanks and on cable TV talk shows. However, a much larger – and less-well-paid – group of hopelessly afflicted prognosticators can be found in the ranks of fiction writers. Science fiction and techno-thriller authors, in particular, can’t resist future-gazing; it’s in our DNA to dream up an engaging story by starting with a simple question: “What if…?”
History suggests that writers have a better track record of foreseeing world events and technological advancements than think-tankers and TV talking heads do. Or maybe not. One school of thought says fiction writers don’t really predict the future; their stories merely prompt policymakers or scientists and engineers to think differently about a problem, and events unfold along the same lines sketched by authors.
Having worked as both an engineer and aerospace journalist, I can testify that writing techno-thriller novels is more fun than solving real-world technical problems and reporting hard news. Authors can dream up wild stories and high-tech weapons, yet never worry about annoying constraints like facts and physics. We rarely have to be concerned how a futuristic system would actually be designed, built and employed.
That said, authors are pleasantly surprised when future-gazing scenarios and systems they wrote about years earlier actually come to pass. Rather than predicting the future, though, I think we merely look at a geopolitical situation or technology and extrapolate forward several years.
I’d like to share some of the futuristic space-related capabilities that started as “What ifs,” and ultimately were incorporated into our “Space Wars” and “Counterspace” novels. Please consider the potential impacts, if America’s smart scientists and engineers actually developed and fielded the following:
* A MASER beam weapon that disables an adversary’s satellite, by creating mini-electromagnetic pulses in electronic systems. It’s feasible, and sources claim it’s been done in the Navy’s China Lake labs, by initially firing a laser to create a momentary “waveguide” or “filament” through the atmosphere, then firing a MASER’s microwave pulse down that channel.
* Hypervelocity weapons delivered from a piloted spaceplane in low-Earth orbit. Basically a titanium bar boosted by a rocket, these “Rods from God” can take out an underground nuclear facility without an explosive. A dense-material “warhead” propelled at hypersonic speed delivers a tremendous amount of kinetic energy in a brief time span. Basically, a Rod from God has the impact of a tactical nuclear weapon – but is covert and leaves nothing behind that can be traced to the U.S.
* Space-based “Angels and Demons.” “Angels” are small, stealthy spacecraft deployed in-orbit to protect our own high-value satellites. “Demons” hover near an adversary’s satellite, quietly waiting. In an emergency, “Demons” can be activated and ram the bad guy’s satellite to disable it. If a “soft kill” is warranted, a Demon might just squirt “slime” onto a target’s optics to temporarily blind a reconnaissance bird.
* A “Hoover” anti-satellite system. This is a stealthy spacecraft that could vacuum-up debris left in orbit by China’s 2007 hit-to-kill test, for example, then park behind an active Chinese military satellite. During a conflict, “Hoover” could silence its neighbor by firing orbital debris at the satellite. People’s Liberation Army forensics experts would have to conclude that they’d “shot themselves down” with their own space junk.
In the cyberwar realm, here are some futuristic weapons and information warfare scenarios my coauthors and I dreamed up, starting with a “What if…?” question:
* Employing modern American fighter aircraft fitted with advanced electronically scanned array or AESA radar systems to launch a covert attack against an adversary’s oil refinery and shipping port. In our Counterspace novel, AESA radar beams fired by stealthy F-22 Raptor and F-35 Lightning II fighters are combined to create mini-EMPs that destroy microprocessors and electronics circuitry in a Venezuelan oil refinery’s control system. Valves randomly open and close, creating havoc and extensive damage throughout the oil-handling and shipping complex. Bottom line: Hugo Chavez[‘s successor] couldn’t ship a drop of oil for months, causing massive economic problems – and he had no idea what hit him.
* An electromagnetic or electrostatic system that remotely disrupts the electrical activity of a human heart. Fired from a drone or aircraft, these tailored signals trigger heart attacks and strokes, covertly killing a rogue nation’s dictator or terrorist cartel’s leaders.
* “Smart Dust” to locate and neutralize terrorists. Tiny, nano-scale systems that can be programmed to operate cooperatively would be scattered from the air over a target community. Microscopic “Hunter-Bots” could be programmed to search for the DNA of a particular suicide bomber. When they get a match, they’d clear in companion “Killer-Bots,” which would be ingested by a terrorist’s wife, children or siblings. Bio agents coating the Killer-Bot nanoparticles would radically alter the target’s behavior, ultimately causing considerable shame to be heaped on the suicide bomber’s memory. Soon, nobody volunteers to strap on the suicide belt.
* The ultimate cyber attack might be a biostatic signal that affects a person’s brain, by altering his thoughts. Maybe a wannabe suicide bomber’s thinking could be reprogrammed, inspiring him to leave his explosive vest in the attic and just keep driving the cab.
* Along the same line, what if biostatic signals could be tailored to a person’s DNA, enabling the insertion of false images into a specific target’s brain? He THINKS he sees an object with his eyes, but the object isn’t really there. It only exists as an image in his brain, created by engineered biostatic signals beamed from a stealthy drone. The target could no longer tell the difference between what’s real and what his brain falsely registers as if it were seen through his eyes.
What might be the effect of “brain-spoofing” – inserting false imagery? Maybe a political or military leader would conclude that he’s hallucinating and going crazy. Could that leader rapidly lose the confidence and trust of subordinates, rendering him ineffective?
Bottom line: Brain-spoofing and cyberwar weapons designed to interact with human biological systems would be invaluable for instilling fear, doubt and division in an enemy force.
Such wild-eyed concepts and scenarios may be confined to the realm of fiction, never to be realized in the real world. But perhaps the mere possibility that they could be developed and fielded is enough to neutralize threats. That’s why authors and screenwriters are a form of cyberwarrior. Historically, fiction/entertainment has been employed as one of mankind’s most powerful vehicles for shaping perceptions. Stories are no-harm, no-foul vehicles, allowing one to suspend skepticism and barriers to belief. After all, we’re just being entertained, right?
Hollywood’s been using subliminal programming quite effectively for decades. For example, movies in the 1950s and ’60s, such as “On The Beach” and “Dr. Strangelove,” portrayed the horror of nuclear war in vivid, personal terms. Did stark movies and literature of the time help shape policies and decisions that prevented nuclear war? It’s hard to tell, but maybe they inspired us to collectively decide, “Let’s not go there.”
A second example: “The China Syndrome,” a gripping movie about a nuclear reactor meltdown, was released in 1979. About three weeks later, the real-world Three-Mile Island reactor accident occurred. The combination of movie and real-world accident virtually killed the nuclear power industry for more than thirty years.
Perhaps it’s a stretch to classify fiction and entertainment as “soft cyberwar,” but what if…? What if fiction authors and Hollywood screenwriters were engaged to create entertainment featuring advanced, horrific weapons and tactics that instilled fear and dissension among terrorist bands and deadly criminal cartels? What if these stories rapidly spread throughout a culture via books, TV shows, the Internet and movies, capitalizing on the power of entertainment to shape perceptions?
What if such a campaign were already underway? Maybe it is.
Cyber Survival: Why We’re Losing and What’s Needed to Win
By Steven Chabinsky
Former Deputy Assistant Director, FBI Cyber Division, Senior Vice President of Legal Affairs and Chief Risk Officer, CrowdStrike
Cyber security is not just about the computer on your desk, or even the remote computer sitting somewhere in what we now call the cloud. A different way of looking at it is to consider cyber security an issue that concerns any technology that has a computer chip in it. Cyber security issues extend to information and information systems, and increasingly they extend to products and services we use in our day-to-day lives. We are facing a technology issue in which similar vulnerabilities exist to your information as they do, for example, to the new generation of biomedical implant devices that allow for remote diagnostics.
When we think about the harms that can befall our information, information systems, products and services, we typically categorize them into categories involving risk to their confidentiality, integrity, and availability. Every day in the newspapers we read about harms to confidentiality. Every day someone’s online data is compromised and corporate trade secrets stolen. But, that’s not what keeps most people up at night.
Rather, the possibility of having integrity problems, where you cannot trust the data that you’re seeing, is a far greater problem. The idea that you could alter perceptions through technology is the digital equivalent of the Mission Impossible movie where a security camera is in the corner of a room, but the night watchman is deceived by the spy who created a picture of the room empty, put it at the right focal length in front of the camera, and then went on to do anything in the room he wanted.
The cyber equivalent is happening now. Indeed, it happened ten years ago to the electric power grid, when software failures in an Ohio operations center resulted in computer screens that never updated to reflect the developing, and increasingly bleak, situation. As far as the control room was concerned, everything was great. Meanwhile, there was a rolling blackout and the Midwest witnessed the shutdown of over 250 power plants that included 10 nuclear power stations. So, you might be inclined to say, “but that wasn’t from a hacker, I remember it was merely a computer glitch.” You would be right. Still, I’m reminded of the saying that anything that can happen by accident can happen on purpose. In other words, just because this particular example was accidental, don’t feel a false sense of hope that the next time it won’t be intentional and calculated to result in maximum harm.
In addition to crimes against confidentiality and integrity, we are concerned with issues of availability. Talks about availability tend to focus on Distributed Denial of Service, or DDoS, attacks, the idea that somebody is sending so much traffic to a website or server that nobody can access it. Worse yet, though, you might have seen what happened last year to Saudi Aramco, the most valuable company in the world, which reportedly fell victim to a malware infection that purposefully destroyed 30,000 of their computers. Yes, thirty thousand.
As you can see, cyber security concerns extend beyond someone viewing your personal information. The big-ticket items involve information and technology that is rendered unreliable, untrusted, and left irreplaceably in ruins. As to these issues, Bill Forstchen’s novel, One Second After, must be considered one of the most significant works of our time. In it, we are exposed to the nightmares of what happens when technology is no longer available to us. One of the most remarkable aspects of the novel in my view, the core of its brilliance, is that it is set in a small town, an area that is rural and not densely populated, where you would consider it most likely that people can survive without technology. Yet, even there we find utter chaos, confusion, and death. You can only extrapolate from that small town to imagine what is happening in the major cities.
And so, when I hear people talk about a cyber 9/11, or a cyber Pearl Harbor, I’m quite dismissive of those as being appropriate analogies. Instead, what I believe is that we very much might face the equivalent of a cyber Katrina. Where we don’t have resources, we don’t have potable water, we don’t have electricity. What we have are all of the cascading harms that are reflected in Bill Forstchen’s writings, which are every bit or more as devastating as planes with bombs or planes as bombs. These effects are real possibilities, and nations recognize it. Only a couple of years ago, the China Youth Daily featured an article expressing, “Just as nuclear warfare was the strategic war of the industrial era, cyber-warfare has become the strategic war of the information era, and this has become a form of battle that is massively destructive and concerns the life and death of nations.”
Non-nuclear electromagnetic pulse is certainly an emerging threat against availability and, as a result, an emerging risk to our very way of life. I greatly appreciate the efforts of the American Center for Democracy in bringing thought leadership and emphasis to this important topic. Of more immediate concern, however, may be EMP’s baby brother, “purposeful interference,” more commonly known as jamming. We already are seeing people with $25 illegal jammers interfere with the electromagnetic spectrum, most commonly focused on impeding mobile communications. Think about a situation that requires emergency responders to talk with each other, perhaps an active shooter scenario, hindered through purposeful interference.
We are only now beginning to understand how reliant we have become on wireless devices. But, it’s not just about your phone calls, although it certainly includes those. It’s not just about being able to check your email, although it includes that as well. In addition, it may be about critical infrastructure and the ability, for example, to change train tracks through wireless communications. And then we have GPS. When people think about GPS they immediately think about positioning and navigation. But an additional feature of GPS that we’ve grown increasingly reliant upon is its timing signal. And so, if you could interfere with GPS, the timing elements that we’ve relied upon for interoperability and synchronization of networked systems could be rendered inadequate, if not entirely useless.
Stepping back for a moment, we are forced to take in the entire picture of how vulnerable all of our data and systems are, how they can impact our critical infrastructure, our privacy, and even our personal health. On top of that, we must consider the world economy. Everybody knows that our economy no longer runs on a gold standard. There’s no precious metal that reflects every dollar we have. However, what most people don’t stop to consider is that there is no physical dollar that represents every dollar we have. At the end of the day, these are mostly accounting entries that get rationalized in the trillions of dollars, and the integrity of that data is what makes up the world’s economy.
Yet, despite our increasing reliance upon data integrity and security, our culture has created a demand for products and services that are quick to market without resilience, or reliability, or secondary systems in place should our new, untested ways fail. This is quite serious, and I appreciate the opportunity to discuss this with everyone here in order to focus our mutual efforts on improved security.
[Rachel Ehrenfeld: What do you think can be done?]
I think that there are solution sets. One thing, I believe, is that we have failed in a meaningful way to exercise common enterprise risk management principles in this area. We tend to treat the entire Internet and our technologies as needing to share a common environment. It is almost as though we think everyone needs the same levels of privacy and security, and as a result that everyone should use the same Internet protocols and standards for interoperability. This is quite preposterous. When I go to the gas station, I can’t use a diesel pump to put gas in my regular car. The nozzle simply won’t fit. But when I was working at the FBI, I had an unclassified computer, a secret computer, and a top-secret computer, and I could use the same thumb drive to move data back and forth between all of them (although I didn’t). The computers were differentiated only by the stickers we put on them, indicating their classification levels. The computers themselves were the same computers that are available to you in any common consumer store. So that’s the first thing. That has to change. We’ve got to figure out that there are different priorities and that our security posture needs to be different depending on those priorities.
The second thing is, you cannot have meaningful security without meaningful threat deterrence unless we all decide to live in a bunker. It’s just not a possibility. When you think through the risk model, you only have three levers to work from. You could lower the threat, you can lower the vulnerability, or you can lower the consequences. That’s what you get to play with; those are your opportunities. We have seen the almost tunnel-like focus on vulnerability mitigation over the past 15 years. It is impossible to create software and hardware that is interoperable, impenetrable, and iterative. That is as absurd, or actually more absurd, than thinking of creating physical environments where communities are impervious to intentional attack. It is not in any way, shape, or form a possibility. It is even worse, I would postulate, in the technology area because it’s less static than a building. Technology is dynamic; it is constantly evolving with new software, new hardware, and new applications, with each one being quicker to market than the earlier version.
What you see as a result of this is that vulnerability mitigation has worked best in the area of reducing cyber crimes of opportunity, and even then it has serious limitations. We patch our systems, we update our software, and as a result the common criminal doesn’t break into those better-protected systems. They break into the systems that haven’t done that. That’s the same as in the real world. If someone just wants a TV, and your house has the door locked, they don’t go to your house; they go to the one that doesn’t have the door locked. Now, query for a second if everybody locked their doors what would happen? You would see a shift. Burglars would start going through windows, and vulnerability mitigation practices would repeat themselves in that context. In essence, best practices would be raised to protect doors and windows.
Obviously there’s a point where vulnerability mitigation efforts need to stop. We don’t start first with locks on doors, then with locks on doors and windows, then with bars on doors and windows, and then with underground bunkers. That’s not how it works. Instead, we immediately shift to threat deterrence once standard vulnerability mitigation opportunities are no longer cost effective. We put up alarms, we put up video cameras, and those basically say to the adversary: we concede the ground, but now it’s no longer about us. It’s about you. You can get in, but now we’re going to detect you, we’re going to find you, and you will suffer a penalty. It won’t be worth it for you.
Could you imagine if in your place of business the alarm went off at 3:00 in the morning, and the monitoring company calls you. And they say: someone just broke through the front door of your place of business, but don’t be concerned we have the locksmith on the way. How absurd, right? We don’t do that. We call the police. And that is the only reason why burglars don’t like to rob places that have alarm systems. It’s not the noise that bothers them.
Yet, every day, tens of thousands of times a day, across this country we have enemies who are trying to break into our critical infrastructure, into our military institutions, and the response has been to tell the chief information security officer: Make sure you’re continuously monitoring to patch your systems. It doesn’t work, it won’t work, it will never work. So the next strategic opportunity is, after we figure out what’s important, to make sure that we build the software, hardware, and protocols necessary for detection, attribution, and penalty-based deterrence.
There are opportunities here that, I think, actually are a happy coincidence. I would suggest that in a lot of areas where security is the most needed, privacy rights are actually not the most necessary. Take the electric power grid, for example. The electric power grid is a high security system in which the owners and operators do not want or need anonymity. No one who isn’t authorized should be touching those systems. The owners, operators, and employees of an electric power company want perfect attribution. So that’s an area that’s ripe for new software, new hardware, new security policies, and less interoperability, all of which should add up to say to would-be attackers: if you are found in our infrastructure (and you will be, because we have designed this system for detection and attribution), there will be penalties.
So, I think there are opportunities, but the first step is to distinguish what we need to protect most, to build in proper threat deterrent models that promote detection and attribution consistent with privacy demands, and then to ensure that policies and resources are in place that will make the possibility of our adversaries being brought to justice a reality.